Multiple Buffer overflows in the MMS Client in MZ Automation LibIEC61850 before commit 1f52be9ddeae00e69cd43e4cac3cb4f0c880c4f0 allow a malicious server to cause a stack-based buffer overflow via the MMS IdentifyResponse message.
The vulnerability results from lack of data length validation in the handling of MMS IdentifyResponse messages on the MMS client side. A malicious server can send a crafted IdentifyResponse containing data exceeding the stack buffer size, leading to a stack-based buffer overflow. The attack requires no authentication or user interaction — it is sufficient for the client to establish a connection with a malicious MMS server.
An attacker controlling an MMS server can execute arbitrary code (RCE) in the context of the client process, cause application failure, or gain full control over the system regarding confidentiality, integrity, and availability.
Update the LibIEC61850 library to a version containing commit 1f52be9ddeae00e69cd43e4cac3cb4f0c880c4f0 or newer, available in the manufacturer's GitHub repository. Additionally, it is recommended to restrict MMS connections to trusted servers only and to segment industrial networks.
MZ Automation LibIEC61850 in all versions preceding commit 1f52be9ddeae00e69cd43e4cac3cb4f0c880c4f0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMz Automation Libiec61850
APPMz-Automation< 1.6.0
Related vulnerabilities
Buffer overflow w MMS Client biblioteki LibIEC61850 (MZ Automation)
MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fb...
MZ Automation's libIEC61850 (versions 1.4 and prior; version 1.5 prior to commit a3b04b7bc4872a5a39e5de3fdc5fb...
An issue has been found in libIEC61850 v1.3. It is a heap-based buffer overflow in BerEncoder_encodeOctetStrin...
An issue has been found in libIEC61850 v1.3. It is a stack-based buffer overflow in prepareGooseBuffer in goos...